Face it: Those of us using WordPress need to start paying more attention to security. The days of 'set-and-forget' are long gone. WordPress has become the low-hanging fuit for hackers. Automated bots scour the internet looking for vulnerable WordPress websites.
I'm pretty impressed with Sucuri.net - enough so that we recommend them and have clients using their services.
Sucuri will scan your WordPress website periodically to see if any files have been changed, added, or deleted, looking for malware at the same time.
It also monitors login attempts and automatically locks out offending IP addresses after 5 attempts. One of the interesting things Sucuri does is to check these offending IP addresses against its global database.
Sucuri also offers a 'cleaning service' to remove most of the common malware infections.
Sucuri's services are pretty affordable ($99/yr for a single website). Considering the implications of waking of some morning to discover that malware in your website has been infecting your vistors' computer, that's pretty inexpensive
DIsclaimer: LInks to Sucuri.net in this article are affiliate links.